RFR: 8327114: Attach in Linux may have wrong behaviour when pid == ns_pid (Kubernetes debug container) [v3]
Sebastian Lövdahl
duke at openjdk.org
Wed May 22 19:01:02 UTC 2024
On Wed, 22 May 2024 18:40:00 GMT, Larry Cable <duke at openjdk.org> wrote:
> I haven't, but I will. BTW, which Linux capabilities should be enabled in order to prevent a /proc/... style attach due to lack of permissions to access the target's /proc fs? Rgds - Larry
I know for sure that `CAP_NET_BIND_SERVICE` prevents access to `/proc/<pid>/root` at least. I don't know if there's any distinction between the different privileges a process can have to be honest, but I somehow got the impression that having _any_ privilege restricts access to `/proc/<pid>/root` (among others). But right now I cannot recall what gave me that impression. There's a long list of capabilities though: https://man7.org/linux/man-pages/man7/capabilities.7.html
> it lives ...it lives!!!
>
> I love it when a patch comes together!
>
> :)
>
> thx for testing this before my 1st cup of coffee!
Great feeling indeed! Ah, the best cup of the day, have a good one :)
-------------
PR Comment: https://git.openjdk.org/jdk/pull/19055#issuecomment-2125541556
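As an added diagnostic for the capability question raised in this exchange (constructed example, not part of the PR or the JDK attach code): the kernel gates traversal of `/proc/<pid>/root` with the same ptrace-access check as other sensitive `/proc` entries, and the default rule denies access when the target holds permitted capabilities the caller lacks, unless the caller has `CAP_SYS_PTRACE`. This script reports whether the current process can traverse a target's `/proc/<pid>/root` and prints the target's capability sets from `/proc/<pid>/status` so the two sides can be compared. The pid argument defaults to the script's own shell.

```shell
#!/bin/sh
# Probe the /proc/<pid>/root attach path: can the caller traverse it, and which
# capability sets does the target hold? Constructed example, not JDK code.

# Print the capability bitmasks the kernel records for the target process.
# CapPrm is the set the default ptrace access check compares against the
# caller's permitted set; CapEff and CapBnd are shown for context.
target_caps() {
    pid="$1"
    grep -E '^Cap(Prm|Eff|Bnd):' "/proc/$pid/status" 2>/dev/null
}

# Return 0 if /proc/<pid>/root can be followed and listed by the current
# process, 1 otherwise. Following the link is exactly what an attach over
# /proc/<pid>/root/tmp needs, so a failure here reproduces the
# "lack of permissions" case from the thread.
can_traverse_proc_root() {
    pid="$1"
    [ -d "/proc/$pid/root/." ] && ls "/proc/$pid/root/" >/dev/null 2>&1
}

# Human-readable summary for interactive use.
probe_pid() {
    pid="$1"
    if can_traverse_proc_root "$pid"; then
        echo "pid $pid: /proc/$pid/root is traversable by uid $(id -u)"
    else
        echo "pid $pid: /proc/$pid/root is NOT traversable (compare target CapPrm with the caller's)"
    fi
    target_caps "$pid"
}

# Default to our own pid, which is always traversable by ourselves.
probe_pid "${1:-$$}"
```

Run it as the same user that will perform the attach, against the JVM's host-side pid; a traversable result with matching capability sets means the `/proc/<pid>/root` path is usable, a denial points at a capability (or `CAP_SYS_PTRACE`) mismatch rather than a JDK bug.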